CVE-2019-19920

Published: 22 December 2019

sa-exim 4.2.1 allows attackers to execute arbitrary code if they can write a .cf file or a rule. This occurs because Greylisting.pm relies on eval (rather than direct parsing and/or use of the taint feature). This issue is similar to CVE-2018-11805.

Priority

Medium

CVSS 3 base score: 8.8

Status

Package Release Status
sa-exim
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 20.10 (Groovy Gorilla) Not vulnerable
(4.2.1-19)
Ubuntu 20.04 LTS (Focal Fossa) Not vulnerable
(4.2.1-19)
Ubuntu 18.04 LTS (Bionic Beaver) Needs triage

Ubuntu 16.04 LTS (Xenial Xerus)
Released (4.2.1-14+deb8u1build0.16.04.1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist